Posted by kdawson on Tuesday November 23, 2010 @01:37PM
from the sweet-sounds-of-cash-dropping-into-our-hands dept.

tsu doh nimh sends in a report that criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers. These are devices designed to be attached to cash machines to siphon card + PIN data. "The European ATM Security Team (EAST) found that a new type of analogue skimming device — using audio technology — has been reported by five countries, two of them 'major ATM deployers' (defined as having more than 40,000 ATMs)... The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37)."

Personally I’m all for a one time password key token type device. You have a little key fob dealie generating numbers via a stream cipher at an interval (and with a key) synced with your bank. Once a pin is used, it is invalidated, so an attacker would have to skim the code, then use it before you punched it in. You could even combine it with some kind of traditional pin or even biometrics if you want to be all new age, giving you the very trendy “3 factor authentication”.

Heck you could even automate the first bit with some kind of challenge/response system.

This isn’t a radical or new idea.. people have been talking about this forever, and a few systems like this have actually been implemented.. but I don’t get why this isn’t widespread yet? Are there vulnerabilities, user issues, or is it just a case of “cheaper to fix the problems reactively than prevent them”?

As has been said, security is a trade off of convenience. But I think money is one area people might be willing to put up with a slightly more cumbersome process.
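The key-fob scheme described in the comment above, as an added example that is not part of the original thread. It uses the standard HMAC-based one-time password construction (RFC 4226 / RFC 6238) in place of the stream cipher the commenter mentions; the 30-second step, 6-digit length, the `BankVerifier` name and the RFC 4226 test key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per code interval (assumed)
DIGITS = 6    # digits shown on the fob (assumed)

def totp(key: bytes, counter: int) -> str:
    """HOTP value (RFC 4226) for one time-step counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class BankVerifier:
    """Bank side (hypothetical): each time step is accepted at most once."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window      # tolerated clock drift, in steps
        self.last_used = -1       # highest counter already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_used:
                continue          # already used or older: a replayed code dies here
            if hmac.compare_digest(totp(self.key, counter), code):
                self.last_used = counter
                return True
        return False

def demo():
    key = b"12345678901234567890"   # RFC 4226 test key, not a real secret
    t = 59                          # constructed timestamp (time step 1)
    code = totp(key, t // STEP)     # what the fob displays
    bank = BankVerifier(key)
    first = bank.verify(code, t)           # customer enters the code
    replay = bank.verify(code, t + 5)      # skimmed copy replayed seconds later
    stale = BankVerifier(key).verify(code, t + 5 * STEP)  # never used, but expired
    return first, replay, stale

if __name__ == "__main__":
    print(demo())
```

The invalidation comes from `last_used`: once a step has been accepted, neither that code nor any earlier one verifies again, even inside the drift window.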

You could even combine it with some kind of traditional pin or even biometrics if you want to be all new age, giving you the very trendy "3 factor authentication".

Sorry, one reason this will fail - People are inherently lazy.

If they can't get their swipe and walk away then they'll not be happy...

Granted, I also don't want yet another thing to hang off my keychain, but I'd rather have THAT safety than nothing.

I think you are underestimating your fellow man here my friend. In the UK we ditched the swipe only method a long while back in favour of chip and pin for everything. A small minority bitched, but just got on with it as the benefits are obvious enough for the minor inconvenience of having to remember four digits. If you added another small layer of security to the existing chip + pin method I suspect the public reaction would be largely the same - a minority will complain, but then everyone will just get on

CC's have had PINs the entire time here in Canada. Probably everywhere else too. When those machines first came out, I would have people yelling at me that I was wrong and their card never had a PIN ever. This happened more often than you think. So many of them want me to just 'punch it in manually'. I just say we're not equipped for it.

Money transactions should never be made convenient. This transition we're experiencing into chip+pin in Canada has made me realize that more now than ever before.

I think you are underestimating your fellow man here my friend. In the UK we ditched the swipe only method a long while back in favour of chip and pin for everything. A small minority bitched, but just got on with it as the benefits are obvious enough for the minor inconvenience of having to remember four digits. If you added another small layer of security to the existing chip + pin method I suspect the public reaction would be largely the same - a minority will complain, but then everyone will just get on

Have they fixed the idiotic security issue with chip+PIN yet? You know, the one where the chip verifies the PIN? I remember a story where it turns out during PIN verification, the chip sends the reader an "OK" value (0x90, I believe?) if the PIN is OK and the transaction goes through. No, the bank's not checking your PIN at all - it's all done on the card you have. Which means anyone who can clone it doesn't need a PIN.

It is a feature that the card confirms the PIN. This allows offline-transactions, and is not per se insecure, if the protocol between terminal+card would have been designed correctly (which it unfortunately was not). The problem (link [cam.ac.uk]) is, that the current protocol allows a man-in-the-middle degradation attack: The terminal uses PIN+chip, but the man-in-the-middle tells the card not to use PIN+chip (i.e. to use chip+sign). The confirmation of the card is used to make the terminal think the PIN was accepted

Chip and PIN is horrible, and most people in the UK only think it is more secure cause their banks tell them it is. It isn't, it in fact shifts liability from the bank to the consumer -- it's horrible. However, due to a great advertising campaign, most Brits will be very skeptical of any non Chip+PIN card thinking it horribly outdated and insecure. In Australia, we can't swipe without entering a PIN or signing, the same as in most sane countries.

People are not inherently lazy. Civilization would not have made it this far if we were. It is an environmental effect that has been created by us; Not one of inheritance. People have been trained to be lazy.

Just carry a ballpeen hammer around with you. Before inserting your card, take a couple of good hard swipes with the hammer. Skimmers aren't mounted solidly, and the rest of the machine is pretty much unbreakable.

Pull skimmer equipment off the ATM and walk away with it and you are likely to get busted by feds or local cops who may be monitoring the machine.
If not, you are likely to be confronted by the scammer who put the thing there in the first place. It's not uncommon for these things to disappear the minute someone from the bank notices something's wrong and goes inside to report it. That's because the thieves often are somewhere nearby watching the machine.

Not only that, but the camera may have already taken your photo with it in hand. The criminal who put it there however, may have contorted to avoid the camera while installing the skimmer. So yes, the hero gets thrown behind bars as it usually goes.

Uh, I would not be too worried about that if the skimmer was just there installing it. I am pretty sure that if a skimmer is caught on tape doing it, they will see you removing it. If they are not going to stop some dude from installing a skimmer on an ATM, I highly doubt they will care if you give the machine a few small hits from a ballpeen hammer

Why would banks care about that? Secure digital cash systems have been around for a very long time, but banks do not like the concept very much, probably because it would mean losing certain revenue streams. Credit card processors and banks sell spending data to marketing firms; secure digital cash generally makes that difficult or impossible, since digital cash allows for anonymous payments. Additionally, digital cash would make it hard for banks to do things like profit from debit card overdraft fees (although with the new regulations, perhaps this is less of a valid argument).

It is not that the technology is not there, it is that it solves the wrong problem.

I would then need to carry at least three with me. I know people who would need more than that. So unless there is some way to centralize this and everybody agrees on what to use, this will be a burden, not a blessing.

I already dislike it with online banking. I am now able to do things online only at home, as I do not want to carry it around with me and risk losing it.

I have one with my bank (Bank of America). It is a credit card, or so it appears at first glance. Looking closer you notice it has a smart chip in it and that the 6 digit number in one corner looks a lot like a segmented LCD readout. It is actually eInk, so it doesn't draw power except to change. Squeeze the button, it generates a new code. My online account is set up so that is required to get in, as well as a password. However the ATMs for the same bank take no note of it. That just uses regular debit car

Seems silly that the bank would push this new security feature but not use it for ATMs.

Or they should at least (I am assuming they don't) provide you the option to not allow the card to be used by devices which don't support this.

I really hate that.. it's like the whole "verified by visa". Useless because someone can just use your card at a site that doesn't require it. All it serves is to protect site owners (which may have been the point.. but it could have served both site and card owner).

You can get that kind of security here in the US for online bank transactions. Bank of America has an option where the bank sends a text to your cell phone containing a unique code that you have just a few minutes to enter on their website in order to execute a transaction online. In addition to that they offer an RSA type of device that you can buy, but I think texting to your cell phone works just as well, unless you have reception issues.

Even better than that, there is an RSA SecurID application for smartphones (Blackberry and iPhone). You do not even need the dongle anymore. Just fire up the app on your cellphone to get the current PIN.

How about they use the BILLIONS of dollars they are freely collecting in fees from these machines to actually provide security? I live in the capital of my state and in the entire city there is exactly 1 ATM that's located inside its own enclosure (about the size of a small bathroom) you have to swipe your card for the door to open, it will not open for anyone else until you leave, and it takes your picture when you walk in. Anyone attempting to tamper with this ATM would first need a valid ATM card (which

First off, ANY card will open that outer door. Second, OK, the thief goes in and places his device right after the bank closes on Friday and takes it back Sunday morning. Hm, your security guy reviews the tape on Monday sometime but all the accounts have already been cleaned out Sunday.

The skimmer collects the card info, the camera records the pin, and the thief gets all our money.

IC card based authentication is well-known and established, and is secure against skimming attacks without the need of external devices. Just slip in the card and enter your PIN. Even if your PIN is observed it's useless without the chip, and the chip is not easily readable (and thus, not really copy-able). The technology has been around for years (at least since the 1990), and is widely used. Only missing step is for the credit card companies to 1. adopt them (they are actually in the process of doing this,

A simple two factor solution, requiring no additional hardware for the average consumer has long existed. Leverage the existing cellphone. There's a commercial firm with a packaged solution (www.PhoneFactor.com) out there.

However, the cost of such services+customer resistance may well keep it out of widespread usage.

Just because it's possible to be safer, doesn't necessarily make it cost effective.

However, most customers would probably be less resistant to using their phone than carrying yet another device

Phrack, nice. Only been a decade since I've seen a Phrack reference. Probably got some Phrack printouts with some 2600 mags in a storage bin somewhere. I wonder what the modern underground magazine of record is nowadays

If anything, the only surprise here is that criminals were ever not taking advantage of cheap MP3 player/recorder hardware. The economies of scale with your basic anonymous fleabay-special "designers MP5 player" are stupendous, and most of the (comparatively) difficult stuff is in software, which is an easier trail to hide...

Take something like a digital audio recorder as the core, and add a walkman cassette head, and piece them together with a few passive components, and you have a simple, cheap and effective device to skim credit cards.

Later you download the recorded audio (it is a Digital audio recorder) and run it through say a quick matlab script, and you decode the card data.

Not all magstripe cards operate on a digital encoding method. SOME cards encode AUDIO TONES, as opposed to digital data. These cards are usually used with old, outdated, industrial-strength equipment where security is not an issue and not a great deal of data need be encoded on the card. Some subway passes are like this. They require only expiration data on the magstripe, and a short series of varying frequencies and durations are enough. Frequencies will vary with the speed of swiping, but RELATIVE frequencies will remain the same (for instance, tone 1 is twice the freq. of tone 2, and .5 the freq of tone 3, regardless of the original frequencies!). Grab an oscilloscope to visualize the tones, and listen to them on your stereo. I haven't experimented with these types of cards at all.

Only being used with outdated equipment where security isn't an issue? This was written in 1992! Assuming the format hasn't changed much on these new systems, why the hell are ATMs now (still?) using this format?

The last image in the article shows a screenshot of a tool that has decoded a waveform skimmed from a magstripe. It's clearly showing flux reversals from Manchester encoded data and not any sort of "audio" signal.

Because most ATMs run Windows XP... and I am not kidding.
At the local 7-11 I can look inside the ATM at the back, where it has a small monitor, and it clearly is Windows XP.
Windows XP is also running your ATM... [guardian.co.uk]

Lots of comments here about "OMG they're recording the sound of the keypad" or audio tone encoding on the cards, which is silly. It uses a magnetic head to read the stripe, and just records the flux as audio instead of digitally. It's not a bad idea really, though not terribly new - just a different method of recording the same data, which is ultimately just a bunch of 1's and 0's relatively timed to how fast you slide the card through. Nothing is recording audio of your keypresses (which usually are just

Might it help to make card readers transparent - so there's nothing but clear plastic and a very small read head with some wires leading off into the ATM? Then if you ever see other electronic cruft surrounding the read head, or see a non-transparent reader, you'd know to be suspicious...